Many, many problems. (Samba 2.2.0)

Leon, Evan evan.leon at nickonline.com
Wed Apr 25 18:56:15 GMT 2001


First off, I'll start out with the environment we're using:

Solaris 7 (Kernel patch 106541-15) running on an E3500
Samba 2.2.0 (we were using 2.0.6, but upgraded because we thought it would
help)
We recently migrated to a Win2K environment.

I should also preface this by mentioning that we have fully read through the
documentation, have searched the mailing list archives for two days
straight, and read all of the text and HTML documentation pertaining to
these problems (and run through all the tests in DIAGNOSTICS.txt at least
three times).

We are building this machine to try and replace an NT box, and these
problems are preventing us from doing so.
The box is not supposed to act as a PDC, we simply want it to share certain
directories on this machine, and preferably authenticate users from the
domain's PDC.

First problem:

The option "security = domain" does not seem to work properly.  Here is the
smb.conf file we were using to try this out: (omitted information replaced
by text in [])

[global]
        lock directory = /var/adm/sambalock
        server string = [hostname]
        password server = [our domain pdc and bdcs, we also tried using * here]
        encrypt passwords = yes
        security = domain
        preferred master = no
        wins support = no
        socket options = TCP_NODELAY
        workgroup = [our workgroup]
        log file = /usr/local/samba/var/log.%m
        max log size = 50
        domain master = no
        local master = no
        wins server = [xx.xx.xx.xx]
        wins proxy = no
        dns proxy = no
        hide dot files = no
        netbios name = [hostname]

[iwdefault]
        comment = archive directory
        path = [path]
        read only = No
        create mask = 0775
        locking = No
        share modes = No

We then added the machine to the domain from one of the Win2K boxes, and ran
smbpasswd -j [DOMAIN] -r [PDC].  From what our NT admin was trying to
explain to us, it sounds like Win2k has decentralized its environment, so
there is no single primary domain controller, and multiple machines have
access to the SAM.  Regardless, we were still pointing to the old PDC.  We
then put some users into the smbpasswd file, with the same password they use
for the NT domain.

Clicking on the machine in network neighborhood on a Win2k box and an NT4
box displays the message "\\[machine] is not accessible.  Access denied."
Looking at the logs, it says that the PDC refused the authentication.  All
three passwords (NT domain, smbpasswd, and UNIX password for that account)
are all identical.

After trying to fix this unsuccessfully for a long time, we decided that we
had a second option.  To spare all the details, it would rely on using unix
password sync to update the UNIX password after changing the smbpasswd
entry.  This also does not work.

Here is the smb.conf file we are trying out with the second option:

[global]
  lock directory = /var/adm/sambalock
  server string = [hostname]
  encrypt passwords = Yes
  preferred master = no
  wins support = no
  security = user
  socket options = TCP_NODELAY
  workgroup = [workgroup]
  log file = /usr/local/samba/var/log.%m
  log level = 5
  max log size = 50
  domain master = no
  local master = no
  wins server = [wins server]
  wins proxy = no
  wins support = no
  dns proxy = no
  hide dot files = no
  unix password sync = yes
  passwd chat = *word* %n\n *word* %n\n *changed*
  passwd chat debug = yes
  passwd program = /usr/bin/passwd %u

[iwserver]
  comment = test directory
  public = no
  create mode = 0775
  writable = yes
  locking = no
  share modes = no
  preserve case = yes
  short preserve case = yes
  path = [path]


